This produces results like those shown in the following screenshot:
The last row represents everything that didn't fit into the top five. The useother option enables this last row, while otherstr controls the value printed in place of the default value "other". For the opposite of top, see the rare command.
Using stats to aggregate values
While top is very convenient, stats is extremely versatile. The basic structure of a stats statement is:
stats functions by fields
Many of the functions available in stats mimic similar functions in SQL or Excel, but there are many functions unique to Splunk. The simplest stats function is count. Given the following query, the results will contain exactly one row, with a value for the field count:
sourcetype="impl_splunk_gen" error | stats count
Using the by clause, stats will produce one row per unique combination of values of the fields listed, which is similar to the behavior of top. Note that an event missing any of the by fields is left out of the results entirely, so a count broken down by logger and user can be smaller than a plain count. Run the following query:
sourcetype="impl_splunk_gen" error | stats count by logger user
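To make the behavior of top with useother and otherstr, and of stats count with and without a by clause, concrete, here is an added Python model of those two commands run over a handful of constructed log lines. It is example code written for this page, not Splunk's implementation and not the book's own code; the event lines, the parse_event/search/stats_count/top function names, and the simplification that a search term is a case-insensitive substring match are all assumptions made for the illustration. It also shows the practitioner caveat from the text: an event that lacks one of the by fields (the FooClass error below has no user) is dropped from stats count by logger user, so the rows no longer sum to the plain count.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Sequence, Tuple

# Constructed sample events, loosely in the style of the book's
# impl_splunk_gen sourcetype. They are made up for this example.
SAMPLE_EVENTS = [
    "2012-04-23T11:59:04 level=ERROR logger=AuthClass user=mary ip=1.2.3.4 msg=login_failed",
    "2012-04-23T11:59:05 level=ERROR logger=AuthClass user=bob ip=1.2.3.5 msg=login_failed",
    "2012-04-23T11:59:06 level=ERROR logger=AuthClass user=mary ip=1.2.3.4 msg=login_failed",
    "2012-04-23T11:59:07 level=ERROR logger=BarClass user=jacob ip=1.2.3.6 msg=db_timeout",
    "2012-04-23T11:59:08 level=INFO logger=BarClass user=jacob ip=1.2.3.6 msg=ok",
    "2012-04-23T11:59:09 level=ERROR logger=FooClass ip=1.2.3.7 msg=crash",  # no user field
    "2012-04-23T11:59:10 level=INFO logger=FooClass user=bob ip=1.2.3.5 msg=ok",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> Dict[str, str]:
    """Extract key=value pairs the way Splunk's automatic field extraction
    would for this format; _raw keeps the original line for searching."""
    fields = dict(KV_RE.findall(line))
    fields["_raw"] = line
    return fields


def search(lines: Iterable[str], term: str) -> List[Dict[str, str]]:
    """Simplified stand-in for a bare search term such as `error`:
    keep events whose raw text contains the term, case-insensitively
    (assumption: Splunk actually matches indexed tokens, not substrings)."""
    term = term.lower()
    return [parse_event(l) for l in lines if term in l.lower()]


def stats_count(events: Sequence[Dict[str, str]],
                by: Sequence[str] = ()) -> Dict[Tuple[str, ...], int]:
    """Model of `stats count by <fields>`.

    With no by fields every event lands in the single key (), giving the
    one-row result the text describes. With by fields, one row is produced
    per unique combination of values, and any event missing one of the by
    fields is skipped, as Splunk does."""
    counter: Counter = Counter()
    for ev in events:
        try:
            key = tuple(ev[f] for f in by)
        except KeyError:
            continue  # event lacks a by field: not counted at all
        counter[key] += 1
    return dict(counter)


def top(events: Sequence[Dict[str, str]], field: str, limit: int = 5,
        useother: bool = False,
        otherstr: str = "other") -> List[Tuple[str, int, float]]:
    """Model of `top <field> limit=N useother=<bool> otherstr=<str>`.

    Returns (value, count, percent) rows for the N most common values;
    with useother=True the values that did not fit are rolled into one
    final row labeled otherstr. Percent is taken over events that carry
    the field (assumption about how Splunk computes it)."""
    values = [ev[field] for ev in events if field in ev]
    total = len(values)
    ranked = Counter(values).most_common()
    rows = [(v, c, 100.0 * c / total) for v, c in ranked[:limit]]
    rest = sum(c for _, c in ranked[limit:])
    if useother and rest:
        rows.append((otherstr, rest, 100.0 * rest / total))
    return rows


if __name__ == "__main__":
    errors = search(SAMPLE_EVENTS, "error")
    print("stats count:", stats_count(errors))
    print("stats count by logger user:", stats_count(errors, by=("logger", "user")))
    for row in top(errors, "logger", limit=2, useother=True, otherstr="everything else"):
        print("top logger:", row)
```

Running the script shows the plain count (5 error events) versus the by-field rows (only 4 events survive once user is required), and a top over logger with limit=2 that ends in an "everything else" row because useother is set; drop useother and that last row disappears.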